Law.com Subscribers SAVE 30%
Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
The Eyes (and Privacy Laws) of Texas Are Upon You
Consistent with the cliché that “everything's bigger in Texas,” the Texas legislature has introduced not one, but two separate bills relating to the privacy of personal information. Although still in their nascent stages, both bills — the Texas Privacy Protection Act (TPPA) (H.B. 4390) and The Texas Consumer Privacy Act (TCPA) (H.B. 4518) —follow California's lead in creating enhanced and stringent privacy protections for individual consumers.
The TCPA models the California Consumer Privacy Act (CCPA) pretty closely, while the TPPA focuses on collecting online data and requires businesses to maintain a comprehensive data security program. Since Cybersecurity Law & Strategy has covered the CCPA in previous issues, this article focuses on the TPPA.
The TPPA is arguably the less onerous of the two bills, although you might not necessarily realize it at first blush, given the broad way it defines “personal identifying information” (PII). In addition to the traditional categories of information protected by privacy statutes (social security number, driver's license numbers, credit card or financial account information, etc.), PII includes biometric information (fingerprint, voice print, retina or iris image, or any other unique physical representation), religious affiliation or practice information, racial or ethnic origin information, unique genetic information, physical or mental health information, precise geolocation data and the private communications or other user-created content of an individual that is not publicly available. This alone will considerably expand the scope of entities that will likely have to comply with the law.
|Compliance
In terms of who must comply with the law, the TPPA would only apply to for profit businesses that: 1) do business in Texas; 2) have more than 50 employees (but the employees do not have to reside or work in Texas); 3) collects the personal identifying information of more than 5,000 individuals, households, or devices or has that information collected on the business's behalf; and 4) either: A) has annual gross revenue in an amount that exceeds $25 million; or B) derives 50% or more of the business's annual revenue by processing personal identifying information. Note that requirement 3) above refers to “individuals, households, or devices,” not to “Texas residents.” This means that if an Internet business has only a handful of customers in Texas, but numerous customers elsewhere, it could still theoretically be subject to the requirements of this law.
|Collecting PII
Most categories of PII are covered under the TPPA, but there are exemptions for publicly available information, information covered under certain federal or Texas statutes (HIPAA, the Texas Medical Records Privacy Act, GLBA, the Fair Credit Reporting Act and FERPA), information collected solely to facilitate the transmission/routing of PII between or among businesses, and PII transmitted to and from the individual to whom the PII relates if the collector of the information does not access, review or modify the content of the information, or otherwise perform or conduct any analytical, algorithmic, or machine learning processes on the information.
The TPPA includes most of the requirements/restrictions on the collection and processing of PII that we have come to expect from expanded privacy laws. Generally, the purpose for the collection/processing needs to be properly disclosed to the consumer and the information must be relevant to accomplish that purpose and used only for that purpose. If a third party is involved in the processing of the PII, the individual must be provided with the name of that third party and the scope of their involvement with the processing. The relevant notification must be clear, drafted in plain language and easy to understand and must be located in a prominent location at the business and on the business's website, if it has one. For special categories of PII (geolocation data, biometric information, genetic information, racial or ethnic origin information, religious affiliation or practice information, physical or mental health information, or other personal identifying information that when processed is likely to create a significant privacy risk), the business must also specify the categories or items of special PII being processed and the purposes for processing that information.
|Security Program Required
The TPPA also contains certain “paperwork” requirements. All covered businesses must develop, implement and maintain a comprehensive data security program that contains administrative, technical and physical safeguards for PII. The safeguards must be documented by the business and appropriate considering the size and complexity of the business, the nature and scope of the businesses activities and the sensitivity of the PII processed by the business. Covered businesses must also implement an accountability program that includes a process to identify, assess and mitigate any reasonably foreseeable privacy risk, procedures to provide remedies for privacy risk, an annual assessment of the program and supporting policies and procedures, methods and procedures for responding to data breaches and for addressing inquiries and complaints concerning personal identifying information, and procedures for internal enforcement of the business's policies and discipline for noncompliance. Finally, covered businesses must maintain a privacy policy that articulates the processing practices of the business for PII, including any analysis or predictions made by the business based on the processing of PII by the business. The policy must provide an accurate and easy mechanism for individuals to access the PII collected about them and notify individuals of the business's obligations to discontinue the processing of and delete PII under certain circumstances.
|Individual's Rights
The TPPA gives individuals the right to access their PII. Businesses must allow an individual to promptly and reasonably obtain: 1) confirmation of whether PII concerning the individual is processed by the business; 2) a description of the categories of PII processed by the business; 3) an explanation in plain language of the specific types of PII collected by the business; and 4) access to the individual's PII. The proposed law also includes a default right to be forgotten. If an individual maintains an account with a business, the business must not only stop processing the individual's PII on the date the account closes but must also delete all of that individual's PII within thirty days of account closure. Any third parties that process the account holder's PII must be notified of the closure of the account.
|Third Parties and Liability
The term “third party” is defined in the TPPA as “[a] person engaged by a business to process, on behalf of the business, personal identifying information collected by the business.” If a business engages a third party to process PII collected by the business, the business must use due diligence in selecting the third party and ensure that the third party complies with the requirements of this law that apply to the third party. The business must also annually obtain verification from the third party that it is complying with the requirements. Third parties may only process PII to the extent the business is authorized to do so, and a business may not share an individual's biometric, health, or genetic information with a third party unless the individual consents to the sharing of that information. Third parties are also required to implement data security and accountability programs consistent with the requirements described above and must comply with the TPPA's cessation of processing and deletion requirements for account holders. If a third party violates any of the provisions of the TPPA, the business that hired the third party may not be held liable for those violations if the business did not have actual knowledge or a reasonable belief that the third party intended to violate these provisions.
Although the bill does not provide for a private cause of action, it does give the attorney general the power to bring an action against a business or third party and collect a civil penalty as well as reasonable attorney's fees, court costs and investigative costs incurred in bringing the action. The maximum civil penalty for each violation is $10,000, not to exceed a total amount of $1,000,000.
|Conclusion
If passed and signed into law, the TPPA would go into effect Sept. 1, 2019. However, given that there is only about a month before the Texas legislature adjourns and the fact that the bill has not yet cleared the House much less made it into the Senate, that date seems unrealistic. The bill will likely be taken up again next year.
*****
Eric Levy is senior counsel in Husch Blackwell's Dallas office and belongs to the firm's Financial Services & Capital Markets industry group. He counsels on cybersecurity risks including drafting privacy policies and notices and negotiating contracts allocating data protection and data gathering risks.
|This premium content is locked for Entertainment Law & Finance subscribers only
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
- Stay current on the latest information, rulings, regulations, and trends
- Includes practical, must-have information on copyrights, royalties, AI, and more
- Tap into expert guidance from top entertainment lawyers and experts
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
How Secure Is the AI System Your Law Firm Is Using?
In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.
COVID-19 and Lease Negotiations: Early Termination Provisions
During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.
Pleading Importation: ITC Decisions Highlight Need for Adequate Evidentiary Support
The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.
The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies
Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.
Authentic Communications Today Increase Success for Value-Driven Clients
As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.